By John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association
Ransomware attacks on hospitals are not white collar crimes; they are threat-to-life crimes, because they directly threaten a hospital’s ability to provide patient care and therefore put patient safety at risk. That reality was underscored during the early days of the COVID-19 outbreak, when phishing emails and other cyber attacks on hospitals increased because cyber criminals treated the pandemic as an opportunity to exploit, victimize and profit.
Even before COVID-19, the frequency, sophistication and severity of ransomware attacks on health care providers had increased over the past several years. Organized criminal gangs and military units have replaced rogue, individual hackers as the primary perpetrators. Law enforcement efforts, although laudable, have not been able to stem the rising tide of these attacks on hospitals and other critical infrastructure. Consequently, policies and approaches to protecting against ransomware need to change at the hospital, national and international levels, similar to how the approach to fighting terrorism evolved after 9/11.
Hospitals may feel powerless against cyberattacks and the forces that motivate them, but that is far from the case. Hospitals can improve their cyber defense and resilience by understanding the new adversaries and risk levels they face, updating cybersecurity and enterprise risk management practices to match the elevated threat level, and communicating the nature and seriousness of ransomware threats to staff, business partners, public policy organizations, law enforcement agencies and legislators.
The international health emergency has dramatically changed our way of life and that of the world, including in many ways how the world has come together for the greater humanitarian good. However, there is one group that views the COVID-19 crisis as an opportunity to exploit the humanitarian crisis for illicit purposes – cyber criminals.
At the onset of the crisis there was a dramatic increase in phishing email campaigns directed toward the health care sector and a nervous general public. These emails are disguised as important information related to COVID-19. They make fake offers of N95 masks for sale, or even raise false hope that a hospital can acquire lifesaving ventilators, but are often laden with malware and malicious links.
The threat I worry most about is a ransomware attack on an overloaded hospital caring for COVID-19 patients that would interrupt patient care or, worse, shut down operations at the facility, thereby putting frail patients and the community at risk. That happened on March 12 to Brno University Hospital, one of the Czech Republic’s largest coronavirus testing centers. The hospital was forced to redirect patients to other hospitals; the Children’s and Maternity Hospital in Brno was hit at the same time.
To be clear, a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime – and therefore should be aggressively pursued and prosecuted as such by the U.S. government. I use the term “prosecuted” in all senses of the definition related to the government’s capabilities and authorities, which include and extend beyond the government’s law enforcement authorities found under United States Code (USC) Title 18.
This situation is analogous to 9/11. In the aftermath of those attacks, all of the government’s capabilities were brought to bear to detect, deter and disrupt terrorists – including terrorists outside U.S. borders that were beyond the reach of the FBI. In its whole-of-government approach, the U.S. leveraged its military authorities under USC Title 10 and its intelligence authorities under USC Title 50 to protect the homeland from foreign threats operating from the safe harbors provided by hostile nation states and non-cooperative foreign jurisdictions.
Sound familiar? It does if you realize that most cyber attacks on health care facilities today are not carried out by domestic, individual hackers. Similar to the 9/11 attacks, the vast majority of cyber criminals are operating from the safe haven of adversarial nation states that will not cooperate with or extradite these criminals to the United States. In many situations, these hostile nation states actually facilitate the cyber attacks against the U.S., because it may serve their national interests to do so. From their sheltered “firing positions,” these cyber criminals are remotely launching ransomware attacks against U.S. hospitals, medical research laboratories and other critical infrastructure – creating a direct threat to public health and safety.
How Ransomware Threats to Hospitals Have Changed
What is considered the first ransomware attack involved a Trojan Horse program sent to AIDS researchers in 1989. Ransomware has changed a great deal between then and the current public health crisis. Ransomware has traditionally been considered a white collar crime, often perpetrated by opportunistic amateurs or hobbyist hackers, and its consequences were usually financial harm rather than physical harm.
Those long-held perceptions do not match the current reality in the health care and life sciences sectors. Institutions are now routinely targeted by full-time professional cyber gangs that are well trained, well equipped, well funded and often supported and sheltered by foreign governments. The perpetrators’ goals are to instill fear and disrupt day-to-day life, and perhaps to raise money to fund violent crimes and even potentially terrorist activities. The U.S. government has attributed the infamous WannaCry ransomware, which struck hospitals around the world, to the rogue government of North Korea, a U.S.-designated state sponsor of terrorism. Other cyber criminal groups are not centered on any political or religious cause and act as mercenaries, carrying out ransomware-as-a-service attacks on behalf of clients that lack the sophistication to penetrate their intended targets themselves.
Not only are cyber criminals more organized than they were in the past, they are often more skilled and sophisticated. Those that conduct ransomware attacks as part of an ongoing criminal enterprise may reinvest some of their ill-gotten gains to develop more powerful malware and computer infrastructure to make their attacks harder to defend against, and make the perpetrators harder to catch.
One example of how cyber criminals have become more sophisticated, and one that is extremely troubling for hospitals, is that hackers now specifically target medical devices, not only networks, servers, PCs, databases and medical records. For example, the 2017 WannaCry ransomware attack infected about 1,200 pieces of diagnostic equipment, caused many other devices to be temporarily taken out of service to prevent the malware from spreading, and forced five United Kingdom hospital emergency departments to divert patients, according to an investigative report by the UK National Audit Office (NAO). The investigation also found that the attack, which was launched against targets around the world, infected at least 81 of the 236 National Health Service (NHS) trusts in England, plus 603 primary care and other NHS organizations, including 595 general practices, and caused more than 19,000 appointments to be canceled.
WannaCry is illustrative of the modern cyber threats to hospitals for several reasons:
- WannaCry was a coordinated, global attack, not an isolated attempt on one hospital or health system. It hit companies and organizations in 150 countries on the first day.
- The FBI considers WannaCry the first ransomware attack to widely target vulnerabilities commonly found in medical devices.
- An international investigation by the FBI and the U.S. Department of Homeland Security concluded the attack originated in North Korea and was sponsored by the North Korean government, possibly in retaliation for economic sanctions related to its nuclear program.
WannaCry should be viewed as an indicator of the trend that followed rather than as an isolated incident. Consider that the Russian military is believed responsible for developing NotPetya, which compromised several health systems and was intentionally built as destructive malware with no working decryption capability, even though it presented itself as ransomware. Ryuk is a well-known ransomware family operated by an ongoing criminal gang based in Russia. The SamSam ransomware attacks were carried out from Iran by two Iranian nationals indicted by the U.S. Department of Justice in 2018, with evidence pointing to backing by the Iranian government. Separately, in 2018 the U.S. Department of Justice charged nine Iranians who worked for the country’s Mabna Institute with conducting a cyber theft campaign against academic researchers and other institutions to benefit Iran’s Islamic Revolutionary Guard Corps, which the U.S. has designated as a foreign terrorist organization.
Why These Changes Matter to Hospitals
Unfortunately, there are more examples of similar state-sponsored activities. Governments and terrorist groups are using cyber crime as a way to level the playing field against more powerful adversaries such as the U.S., which they know they could not defeat in a direct, head-to-head military confrontation. They are at less of a disadvantage when engaging in asymmetric warfare, using difficult-to-attribute cyber attacks to achieve their foreign policy, military and intelligence objectives. Unfortunately, and inexcusably, this sometimes places hospitals directly in the crosshairs of the U.S.’s cyber adversaries, or makes them foreseeable collateral damage.
Another sign of ransomware’s increased sophistication is its relative effectiveness: ransomware accounted for more than 70 percent of the successful malware-driven cyber attacks on health care organizations in each of the past two years.[i] That is especially notable because the study covered the two years immediately after WannaCry, when hospitals were on high alert for ransomware and many were making changes to strengthen their defenses against it. The cyber criminals’ success under those circumstances suggests new approaches are needed to protect hospital systems and the public health infrastructure.
Hospitals must be vigilant, continuously evolve their cybersecurity processes and policies, and expand their technical and human threat information sharing channels to more effectively combat the modern ransomware threat. Potential internal changes go beyond keeping cybersecurity systems up to date and could include effectively integrating cyber risk management into the enterprise risk management, and elevating cyber protection oversight to the board level. Hospitals also need to look outward to collaborate with peers in health care, leaders in other sectors and with law enforcement and government agencies that coordinate cyber threat information sharing and offer resources to improve protection.
What Can Be Done?
Hospital efforts alone are not enough to reshape the geopolitical forces that lead to many cyber attacks on them. Cyber risk to the health care sector is now directly influenced by the geopolitical climate. As such, the effort to protect hospitals and patients must include involving law enforcement, legislative, military and intelligence assets in their defense.
Such a coordinated federal response is appropriate because the evolution of ransomware has changed it from an economic crime to one that puts public health and safety at risk. A ransomware attack that causes a hospital to suspend patient care operations is akin to a mass-casualty terrorist attack. Like military attacks on hospitals, cyber attacks on hospitals violate all internationally accepted norms of warfare.
One of the current disconnects is that the laws typically used to prosecute cyber crimes are not commensurate with the level of harm cyber attacks on hospitals can cause. For example, 18 USC §1030, the Computer Fraud and Abuse Act, is the statute used to prosecute hacking and other computer-related crimes. For most first offenses it carries a maximum sentence of 10 years in prison, rising to 20 years for repeat offenses or attacks that cause serious bodily injury; only where an attacker knowingly or recklessly causes death does the statute allow a sentence of up to life. Because of the sentencing guidelines that apply to this statute, sentences actually imposed are often far shorter than the statutory maximum. That is hardly a deterrent for an international ransomware criminal who has a low probability of being apprehended and could be reaping millions of dollars in illegal profits.
Change the approach without adding laws
We do not need more laws to improve legal deterrence for cyber crimes against hospitals. Rather, we should make better use of the laws and other law enforcement tools that are already available. For example, 18 USC §1030 is the most appropriate statute for prosecuting some ransomware attacks, but it can be made more powerful when combined with, or replaced by, alternative prosecution strategies built on other federal statutes covering Racketeer Influenced and Corrupt Organizations (RICO), money laundering, commercial extortion, homicide and even terrorism. These additional crimes carry far more serious penalties that are more consistent with the threat-to-life element of disruptive cyber attacks against hospitals.
U.S. response to cyber attacks against health care infrastructure should also expand beyond heavy reliance on USC Title 18 for criminal investigation and prosecution. The authorities provided under USC Titles 10, 31 and 50 should all be invoked as necessary to provide more effective and robust options to deter and disrupt foreign-based adversaries that attack U.S. hospitals and health systems.
- Title 31 (Money and Finance) governs the Treasury Department, whose Office of Foreign Assets Control (OFAC) can impose financial sanctions on foreign entities that have conducted or facilitated cyber attacks against U.S. organizations. OFAC sanctions also prohibit U.S. persons and entities from doing business with an OFAC-designated entity, including paying it a ransom.
- Titles 10 (military authorities) and 50 (intelligence authorities) can improve domestic cyber defenses by putting the U.S. on the offensive. They could be invoked to take an “active” or “forward” defensive posture that proactively disables and disrupts foreign-based cyber threats. The vast resources, knowledge and capabilities of U.S. Cyber Command, the National Security Agency (NSA), the CIA and the rest of the intelligence community are unmatched and could be used to augment and support law enforcement actions, as was done in the war on terrorism after 9/11.
Australia has already taken a similar approach to protecting its health care infrastructure during the COVID-19 pandemic. In April 2020, the Department of Defence announced[ii] it was “hitting back” against foreign criminals that targeted Australia’s health care infrastructure, using the Australian Signals Directorate to disable their infrastructure. “Our offensive cyber campaign has only just begun and we will continue to strike back at these cyber criminals operating offshore as they attempt to steal money and data from Australians,” Minister for Defence Linda Reynolds said.
In the U.S., support is building to take a similar approach, both in direct response to COVID-19 and for an ongoing effort to protect hospitals. In April 2020, five U.S. Senators asked the Department of Homeland Security and the U.S. Cyber Command to “Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.” In 2013, then-Secretary of Defense Leon Panetta asked policymakers to elevate cyber security for the health care sector.
Expand public-private partnerships and cross-industry efforts
Hospital leaders can take a more direct role in strengthening the sector’s cyber defenses by participating in and promoting public-private partnerships and other collaborative efforts. Threat information sharing and other joint efforts can decrease the likelihood of successful attacks and help organizations recover and resume operations more quickly. Both of those outcomes decrease the financial incentive to carry out ransomware attacks. The American Hospital Association, the Health Information Sharing and Analysis Center (H-ISAC) and the HHS-sponsored Health Care Industry Cybersecurity Task Force have separately urged more public-private partnerships to improve cybersecurity in a “whole of nation” approach to defending against cyber threats.
In the realm of cyber defense there is no competitive advantage between organizations, especially in health care. All face the same threats and the same potential consequences. Thus, all have the same incentive to exchange threat information freely, for the common defense and for the defense of public health and safety. A phrase I started using while in the FBI still applies: “to defend one is to defend all.”
The U.S. federal government already helps victims recover from ransomware and destructive attacks with cross-agency rapid response teams that can involve HHS, the FBI, DHS and in extreme instances, the NSA. These teams have made it harder to carry out successful attacks and helped victims recover data and resume operations.
The Critical Infrastructure Protection Program organized by DHS is one of the public-private partnerships open to hospitals and health systems. The collaborative effort between HHS and the Healthcare and Public Health Sector Coordinating Council (HSCC) works specifically on cybersecurity and other health care infrastructure protection issues. In 2019 the HSCC issued guidelines for developing and using cyber-secure medical devices, releasing its Joint Security Plan after bringing together providers and device makers. HHS and the HSCC also published the Health Industry Cybersecurity Practices (HICP) at the end of 2018, developed through a national collaborative effort between experts in the field and government.
Ransomware and other cyber attacks on hospitals have evolved. The crime itself has changed from one that is financially motivated to an act that also represents a threat to life that endangers public health. The defenses and strategies to protect against these threats, and the enforcement actions taken to punish the attackers, need to change too. Leveraging the entire law enforcement, intelligence and military capabilities of the U.S. government is necessary to achieve swift and certain consequences against these attackers. This may be the only way to effectively deter and disrupt these foreign adversaries that threaten our hospitals and communities.
Committing to greater collaboration will enhance hospital efforts to protect themselves against modern cyber threats. Hospitals should proactively get to know appropriate staff at their local FBI and DHS offices. Those professionals would play a leading role in responding to and investigating a cyber attack, and can help prevent a successful one through information sharing. Hospitals should also collaborate to share information with other hospitals and businesses in their area. Internal collaboration among IT, risk management, clinical, administrative and executive staff, and crucially the board, will help align organizational culture, risk management and cybersecurity practices to lessen the likelihood of a successful attack.
The American Hospital Association stands ready to help with resources about the latest and ongoing cybersecurity threats and how to protect against them.
[i] Verizon, 2019 Data Breach Investigations Report. Accessed May 14, 2020.
[ii] Australian Government Department of Defence, “On the offensive against COVID-19 cyber criminals,” April 7, 2020. Accessed May 15, 2020.